Mul-T-Lock Analysis

I am starting this page so that readers can follow along as I attempt to compromise the Mul-T-Lock cylinder by design. The goal is
to find fundamental flaws or even benign details that would allow an attacker to gain a foothold. The purpose of this project is
not to pick an MTL; a lot of folks have done this already. I seek to find a technique and/or build a tool which can consistently
defeat these locks. The reason that I'm posting this is to give other hobbyists an idea of the process that may go into analyzing
a high-security cylinder. I will minimize the amount of editing and revisions made to this page so that the reader can get some
insight into the methodology rather than the results. It is not clear if I will be successful, but I encourage you folks to email
me and share your thoughts. Of course, any ideas presented will likely be posted here with credit unless otherwise specified.
Hopefully, this page will also provide motivation for me to push on through frustrating times and challenges as they come. Also,
I should note that I'm only working on the cylinders I have (2 MTL Interactive with keys).

Background

It is important to examine what others have done with this cylinder; it will not only provide a guide for possible attack vectors
but also motivation. Firstly, Mul-T-Lock is not pick-proof by any means. Every cylinder they've produced, with the exception of
the new MT5, has been opened by many people. The most popular method appears to be using a mechanical picking tool produced by
H&M that assists in locating the pins. The tool appears to have gone through several revisions to account for new keyways.
Based upon my own limited experience with it, the tool requires very precise calibration to be effective but otherwise is a
quite solid solution. Questions have been raised about whether it can effectively handle the newer serrated outer drivers that
MTL has made standard across their line (as far as I can tell).

The second major attack on MTL cylinders was developed by Eric Michaud of TOOOL USA. Eric found a very clever pin overlifting
exploit that allowed for the defeat of the outer pin stacks. The vulnerability was in the shape of the outer drivers and their
mechanical relationship to the inner drivers. Michaud discovered that when the inner key pins were lifted (and thus the inner
drivers) far enough, it caused the outer driver pins to "lift off" the outer key pins. This creates a massive shearline gap that
is independent of the actual bitting. If MTL used completely independent outer and inner pin stacks, this vulnerability would not
exist. They responded to Michaud's exploit by drilling a hole in the top of the outer drivers and allowing a small post protruding
from the inner drivers to pass through it. This disabled the technique because if the inner driver was overlifted, the small post
would stop against the top of the pin chambers/spring cover.

Finally, we will discuss skilled picking attempts against Mul-T-Lock cylinders. These cylinders have been successfully picked open
with both standard picking tools and also specialty picks designed for MTL. Multiple videos of these openings can be found on
YouTube and because some have been verified, their authenticity is not usually argued. The successful techniques used include both
single-pin picking and raking. There have also been unconfirmed reports of successful bumpings of these cylinders. There is no
doubt that these locks are difficult to pick, but they are far from pick-proof.

Mul-T-Lock Pins

MTL uses a very unique telescopic pin arrangement to improve key control and pick resistance. The idea of pin stacks
inside pin stacks is the heart of Mul-T-Lock's design. We will refer to these as the inner and outer stacks for
convenience. There are 20 pins in a "5-pin" Mul-T-Lock Interactive: 5 inner-key-pins, 5 inner-driver-pins, 5 outer-key-pins,
and 5 outer-driver-pins. The inner pin stacks (drivers and key pins) rest inside the outer stacks (which are hollow).
Dimples in the key allow the outer pins to rest at their shearline.
Small "islands" in the center of these dimples control the lift of the
inner pin stacks allowing them to reach their shearlines.

In Interactive cylinders, one of the pin stacks is bitted in a special way. The key pins (both inner and outer) are sized
in such a way that they must be lifted very high in order to set. In fact, they must be lifted so high that even a normal metal
blank with no cuts can't lift them high enough. Instead it requires that this blank have a movable "interactive" element that can be
lifted by a springloaded pin on the bottom of the keyway and allow it (the interactive element) to rise above the surface of the blank
to set the interactive pin. For more information on this feature, check out the entry on "floating elements" on the
Lock Mechanisms page.

Now on to the details of the pins; I can only describe the pins that I find in the locks I have. The outer and inner drivers are
packaged together which makes them easy to deal with. The inner driver is implemented as a little springloaded post that sticks
out of the outer driver toward the inner key pin. The inner driver pin is smooth and does not have any anti-picking security features.
The outer drivers, on the other hand, are serrated (4 rings) toward the bottom. Also, the inner driver does poke through the
top of the outer driver to prevent Michaud's overlift attack. The outer key pin is smooth and seems to have very
heavy bevelling/chamfering on the top. The inner key pin has a little lip around its top.

Pin Features

Ok, first we'll think about this thing in the context of plain-jane picking. The tools and techniques that others have used in
the past show that the outer and inner pin stacks can be picked completely separately. My experience has shown that there is some
kind of tricky interaction going on that makes it not quite this straight-forward. When the outer stacks have been set, there is a
huge plug rotation that is absolutely unmistakable. Once this occurs, the attacker can go for the inner stacks. The biggest obstacle
is the serrated outer drivers; in my opinion, it is really these that provide the security. We may be able to overcome these using
reverse picking. This is a technique where you slowly lower a binding pin down to the shearline rather than lifting it there.
This option looks particularly attractive because the outer key pin is not only smooth but also has a deep chamfer at the top. When
this is combined with the very hard sharp angle found on the bottom of the outer driver, it should produce a nice shelf at the shearline
for us to lower the pin to.

On the other hand, the inner driver pins are smooth and this makes the inner stacks a good target for normal picking. A curious detail is
found in the inner key pins; a small lip designed to prevent them from falling straight through the outer key pins during disassembly by a
locksmith. This lip would also make it difficult to use reverse picking on the inner pin stacks. So we've found a good starting point:

1) First use reverse-picking to set the outer pins.

2) Look for the large plug rotation indicating the outer stacks are set.

3) Next use normal picking to set the inner pins.

4) Open.

This will serve as a guide and branching-off point until we find something better.

Picking a Short Stack

I've been experimenting with picking a lock pinned with only one stack inserted right in the front. This allows easier access
with tools and the ability to visually observe pin interactions. Also, I should note that the stack used was actually the
interactive one. I've been playing with this pin stack because it represents a lifting extreme and results found analyzing
it should be applicable to all possible stacks in most cases. So far I found two interesting things:

1: Outer pin stacks are easier to reverse pick (overlift then carefully let down until set).

2: Once the outers are set, inner pin stacks can be set by lifting the outer key-pins.

Here is a description of the process I used to pick this single pin stack. Let me know if you folks are able to reproduce
these results. A plain-jane double-ended twisted tension wrench and slightly-modified (filed edges) Peterson half-diamond
were used. Under tension, lift the outer stack very high; it actually feels like it sets but this is likely just a serration
popping out of the shearline. The entire stack will stay up (binding on the outer key pin) once overlifted. Now slowly and
carefully release tension until the stack clicks down a bit. This process is called reverse picking and works very well on these
pins because there are no security features on the outer key-pins. At this point, you will notice a large plug rotation. What
happened is that there are no longer any outer drivers blocking the shearline and the clearance between outer and inner drivers
allowed the plug to rotate a bit. The outer key pin will be loose in the plug until lifted to a particular height. When lifted
high enough, the outer key-pin will bump into the inner driver pin. Continue lifting, pressing against the binding inner key-pin,
until it sets. Once this inner stack is set, the lock will open.

Long Pins

The above inner-pin-setting technique works great on the 2-3 shortest outer key-pins, but does not on the longer ones.
The problem is that once the outer pin is set, the inner driver is poking inside the set outer key-pin. This prevents the
large plug rotation that normally goes along with setting the outer stack. Also, you will find that the set outer key-pin
is not loose in the plug as expected. It binds on that inner driver that's poking into its hollow center. The only way to
set that inner stack is to get in there with something thin. You press the inner key-pin until it contacts the inner driver-pin
and continue lifting (it will be binding) until the inner stack sets. I'm working on a tool for setting these inner pins but
for now I'm working with a bent paperclip.

So overall, you should be using reverse picking to set the outer stacks until you feel they are set. It's a bit of a guessing
game for now, but we'll try to find a way to more easily identify this state later. Now that we are assuming the outer stacks
are all set, it's time to work on the inners. Work from pin to pin testing the outer key-pins for binding. The pins that feel
loose are likely short and can be dealt with later; ignore them for now. When you find a binding pin, lift it until you feel
it stop (it will not feel like a "set"). This exposes the inner pin (which should be loose). Use your special tool (or paperclip)
to lift the inner pin until it binds; continue lifting until it sets. Once you have set all of the long pin inner-stacks, the
large plug rotation will happen. From here, it's a good idea to let off a little tension to get everything settled. Now simply
use the outer key-pin lifting method to set those remaining inner stacks.

Partial Outer Pin Decoding

Using the above techniques, it may be possible to determine if an outer pin is long or short. First, pick a binding outer pin stack. Now feel for the
outer key pin again. If it feels loose under tension, this means that it is a short pin or any variety of false-set pin. Long pins may or may not bind
against the inner drivers when false set; tolerances should determine this. That said, further experimentation may show a consistency one way or
the other. Long outer key pins will always bind against the inner driver when properly set, however. I have not done much hands-on with this decoding
theory yet, but I encourage you folks to take a stab. Let me know if it works or seems like rubbish.